A Backdoored Package Lurked in a Google-Run Go Mirror Proxy for Three Years
A Mirror Proxy with a Dark Side
A mirror proxy service run by Google for the developers of the Go programming language, known as the Go Module Mirror, has been hosting a backdoored package for over three years. This service caches open-source packages available on GitHub and elsewhere, making downloads faster and ensuring compatibility with the rest of the Go ecosystem. By default, when someone uses command-line tools built into Go to download or install packages, requests are routed through the service.
Caching in
The Go Module Mirror has been hosting a backdoored version of a widely used module since November 2021. The malicious file uses "typosquatting," a technique that gives malicious files names similar to widely used legitimate ones and plants them in popular repositories. This means that if someone makes a typo or a minor variation from the correct name when fetching a file with the command line, they will land on the malicious file instead of the one they wanted.
The Malicious Package
The malicious module was named boltdb-go/bolt, a variation of the widely adopted boltdb/bolt, on which 8,367 other packages depend. The malicious package first appeared on GitHub. The file was eventually reverted to the legitimate version, but by then the Go Module Mirror had cached the backdoored one, and it went on serving that copy for the next three years.
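The look-alike name is the whole trick here, so the check a dependency reviewer wants is one that flags module paths sitting a few characters away from paths they have already vetted. The following Go program is an added example, not code from the article or from Socket: it reads the require directives of a go.mod (a constructed sample is embedded, with a placeholder version for the boltdb-go/bolt entry), compares each path against a hypothetical allowlist (trustedPaths), and reports any path that is not on the list but lies within three edits of an entry that is. The function and type names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed go.mod for this demonstration. The boltdb-go/bolt path is the
// look-alike name from the incident; its version string is a placeholder.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/boltdb-go/bolt v0.0.0-placeholder
	github.com/stretchr/testify v1.8.4
	golang.org/x/sys v0.15.0
)
`

// trustedPaths is a hypothetical allowlist of module paths already reviewed.
var trustedPaths = []string{
	"github.com/boltdb/bolt",
	"github.com/stretchr/testify",
	"golang.org/x/sys",
}

// Suspect is a required path that is not allowlisted but sits within a few
// edits of an allowlisted one, which is the shape a typosquat takes.
type Suspect struct {
	Path      string // path as written in go.mod
	Resembles string // allowlisted path it is close to
	Distance  int    // edit distance between the two
}

// requirePaths returns the module paths named by the require directives of a
// go.mod, handling both the single-line form and the parenthesised block.
func requirePaths(gomod string) []string {
	var paths []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && line != "" && !strings.HasPrefix(line, "//"):
			paths = append(paths, strings.Fields(line)[0])
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 2 {
				paths = append(paths, f[1])
			}
		}
	}
	return paths
}

// levenshtein is the standard two-row edit-distance computation.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	cur := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			best := prev[j] + 1 // deletion
			if v := cur[j-1] + 1; v < best { // insertion
				best = v
			}
			if v := prev[j-1] + cost; v < best { // substitution
				best = v
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// findSuspects flags required paths that are absent from the allowlist but
// within maxDist edits of an allowlisted path.
func findSuspects(required, trusted []string, maxDist int) []Suspect {
	allowed := make(map[string]bool, len(trusted))
	for _, t := range trusted {
		allowed[t] = true
	}
	var out []Suspect
	for _, p := range required {
		if allowed[p] {
			continue
		}
		for _, t := range trusted {
			if d := levenshtein(p, t); d <= maxDist {
				out = append(out, Suspect{Path: p, Resembles: t, Distance: d})
				break
			}
		}
	}
	return out
}

func main() {
	for _, s := range findSuspects(requirePaths(sampleGoMod), trustedPaths, 3) {
		fmt.Printf("SUSPECT %s (distance %d from %s)\n", s.Path, s.Distance, s.Resembles)
	}
}
```

Run against the embedded sample it prints one line, for github.com/boltdb-go/bolt at distance 3 from github.com/boltdb/bolt. The distance threshold is deliberately small: raising it turns the check into noise, since unrelated paths on the same host share a long common prefix.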
A Design Flaw Exploited
"The success of this attack relied on the design of the Go Module Proxy service, which prioritizes caching for performance and availability," Socket researchers wrote. "Once a module version is cached, it remains accessible through the Go Module Proxy, even if the original source is later modified. While this design benefits legitimate use cases, the threat actor exploited it to persistently distribute malicious code despite subsequent changes to the repository."
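Because the proxy keeps serving whatever it cached first, the practical check for a module you rely on is to fetch the same module@version twice, once through proxy.golang.org and once straight from the source repository, and compare the hashes the go tool reports. The Go program below is an added example (not the article's or Socket's code, and the names downloadRecord, compareRecords and fetchRecord are this example's own). It shells out to the real `go mod download -json` command, which prints Path, Version, Sum, GoModSum and Error fields, gives each fetch its own throw-away GOMODCACHE so the second run cannot be answered from the local cache, and then compares the two records. Without arguments it runs on a constructed record pair with placeholder hashes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
)

// downloadRecord holds the fields of the JSON object that
// `go mod download -json module@version` prints for one module version.
type downloadRecord struct {
	Path     string `json:"Path"`
	Version  string `json:"Version"`
	Sum      string `json:"Sum"`      // h1: hash of the module zip
	GoModSum string `json:"GoModSum"` // h1: hash of its go.mod
	Error    string `json:"Error"`    // set when the fetch or its verification failed
}

// Verdict says whether the proxy's copy and the source's copy disagree.
type Verdict struct {
	Diverged bool
	Reason   string
}

// compareRecords compares a record fetched through the proxy with one fetched
// directly from the repository. A differing Sum means the cached zip no longer
// matches what the tag in the repository produces. An Error on the direct
// fetch with GOSUMDB left on means the checksum database holds a hash the
// current source does not reproduce, the same condition seen from the other side.
func compareRecords(viaProxy, direct downloadRecord) Verdict {
	switch {
	case viaProxy.Error != "":
		return Verdict{true, "proxy fetch failed: " + viaProxy.Error}
	case direct.Error != "":
		return Verdict{true, "direct fetch failed: " + direct.Error}
	case viaProxy.Sum != direct.Sum:
		return Verdict{true, fmt.Sprintf("zip hash differs: proxy %s, source %s", viaProxy.Sum, direct.Sum)}
	case viaProxy.GoModSum != direct.GoModSum:
		return Verdict{true, "go.mod hash differs"}
	}
	return Verdict{false, "proxy copy matches source"}
}

// fetchRecord runs the go tool with the given GOPROXY value in a fresh
// GOMODCACHE so the second fetch cannot be served from the cache the first
// one filled. Run it from inside a module directory; the temporary cache
// directories are left for the caller to delete (go clean -modcache).
func fetchRecord(proxy, modAtVersion string, extraEnv ...string) (downloadRecord, error) {
	var rec downloadRecord
	cache, err := os.MkdirTemp("", "modcache-")
	if err != nil {
		return rec, err
	}
	cmd := exec.Command("go", "mod", "download", "-json", modAtVersion)
	cmd.Env = append(os.Environ(), "GOPROXY="+proxy, "GOMODCACHE="+cache)
	cmd.Env = append(cmd.Env, extraEnv...)
	out, _ := cmd.Output() // on failure go still prints the JSON, with Error set
	if err := json.Unmarshal(out, &rec); err != nil {
		return rec, fmt.Errorf("decoding go output: %w (raw: %q)", err, out)
	}
	return rec, nil
}

// Constructed sample pair with placeholder hashes, modelling the situation
// the article describes: the proxy still serves the zip it cached while the
// tag in the repository now yields different content.
var (
	sampleProxy  = downloadRecord{Path: "example.com/m", Version: "v1.0.0", Sum: "h1:PLACEHOLDER-cached", GoModSum: "h1:PLACEHOLDER-gomod"}
	sampleDirect = downloadRecord{Path: "example.com/m", Version: "v1.0.0", Sum: "h1:PLACEHOLDER-current", GoModSum: "h1:PLACEHOLDER-gomod"}
)

func main() {
	if len(os.Args) != 2 {
		v := compareRecords(sampleProxy, sampleDirect)
		fmt.Printf("sample: diverged=%v (%s)\n", v.Diverged, v.Reason)
		return
	}
	target := os.Args[1] // module@version to check against the live services
	viaProxy, err := fetchRecord("https://proxy.golang.org", target)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	// GOSUMDB=off for the direct fetch so the go tool reports the source's
	// own hash instead of stopping at a checksum-database mismatch.
	direct, err := fetchRecord("direct", target, "GOSUMDB=off")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	v := compareRecords(viaProxy, direct)
	fmt.Printf("%s: diverged=%v (%s)\n", target, v.Diverged, v.Reason)
	if v.Diverged {
		os.Exit(1)
	}
}
```

A divergence is not proof of tampering on its own: a maintainer who force-moves a tag produces the same signal. It is, however, exactly the condition in which the proxy's cached copy and the repository have parted ways, and for a package that 8,367 others depend on it is worth a human look either way.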
Conclusion
The discovery of the backdoored package highlights a critical design flaw in the Go Module Mirror. The service’s caching mechanism, while useful for performance and availability, can be exploited to distribute malicious code. This incident serves as a reminder of the importance of security in software development and the need for continuous vigilance.
FAQs
Q: What is the Go Module Mirror?
A: The Go Module Mirror is a mirror proxy service run by Google for the developers of the Go programming language, which caches open-source packages available on GitHub and elsewhere.
Q: How did the backdoored package remain undetected for three years?
A: The malicious package was cached by the Go Module Mirror, making it accessible through the service even after the original source was modified.
Q: How many packages depend on the boltdb/bolt package?
A: 8,367 packages depend on the boltdb/bolt package, making it a widely used and critical component of the Go ecosystem.